Is HSTS necessary or can I just write .htaccess code to always redirect http to https?

Asked Dec 19 '18 at 10:04

Active Dec 19 '18 at 10:04

Viewed 32 times

Is HTTP Strict Transport Security (HSTS) necessary or can I just write regular .htaccess code to always redirect http to https?

asked Dec 19 '18 at 10:04

Black

2

In short: a HSTS received for a single URL on the site makes sure that all future URL's on the whole domain and even (optionally) subdomains will be HTTPS. A redirect instead affects only this specific URL. Even if this redirect was cached (i.e. a 301 redirect) different URL's on the same domain could be affected by sslstrip or similar. – Steffen Ullrich Dec 19 '18 at 10:17

0 Answers0